Falcon too timid for HSBC

HSBC is planning to extend the real time anti-fraud monitoring system it uses for debit and credit card transactions to also monitor online banking transactions, setting itself a five-year deadline to complete the global project - but Australian customers of the bank will be among the last to benefit.

In Australia the bank is still using FICO's Falcon system to monitor card transactions, but the bank's head of group fraud risk, Derek Wylde, who is in Sydney this week, says that this will be replaced in 2011 with a SAS Institute solution that the bank has been progressively rolling out internationally since 2007.

The SAS fraud management system is currently being used by HSBC in the US, UK and nine countries across Asia. Wylde explained that the system now covers 70 to 80 per cent of the bank's active cards, with credit and debit card transactions monitored in real time.

Besides catching up with the local HSBC subsidiary's progress during his visit, Wylde will also, "Work with SAS in promoting the solution we have used to their potential customers," saying that visits to "the majors" had been scheduled during his visit.

The solution is based on a series of statistical models that have been built for the bank by SAS Institute. Underpinning the models are 12 months of genuine HSBC transaction data, and 12 months of confirmed fraud data. "SAS uses that to build a customer signature or profile," said Wylde.

"It understands risky countries and risky merchants and can identify transactions that seem different from your usual character."

Using the profiles, the system can spot transaction anomalies which trigger alerts being sent either via a call centre, or by SMS to a customer's mobile phone. If the customer verifies a transaction it will be processed as normal, if not "then we block the card so there is no more spend, reissue the client with a new card and try and recover the funds."

In extreme cases where the transaction appears very unusual it will be automatically blocked, said Wylde.

While the advent of chip and PIN cards has started to make an impact in those countries which have moved to the system, "It does nothing to protect the online channel and that is where we are seeing most fraud at the moment," said Wylde. He said fraud, measured as a percentage of global sales, was running around 10 basis points, with a third coming from the use of counterfeit cards, a third from online fraud (where the card is not present during the transaction) and a third arising where cards have been intercepted and used fraudulently (for example taken from mail boxes).

Five years ago online fraud accounted for only about five per cent of all fraud, said Wylde, but this has been growing rapidly as demand for online banking continues to soar.

"Our strategy is to take the SAS solution and extend it - for example to online banking," he said. HSBC plans to use the SAS system to screen internet bank sessions, which in concert with real-time card transaction screening will give the bank a more comprehensive view of the customer.

"The endgame is rather than have credit card, debit card and online banking looked at by different groups we will have one team. It may be that three independent events do not breach guidelines, but when you look at them together you may find that a customer's card is being used in Australia when they are apparently logged onto online banking at the same time in Hong Kong," which would clearly set the alarm bells ringing.

HSBC plans to pioneer this three-pronged approach in Hong Kong starting next year, progressively rolling the system out across the bank's international network.

"HSBC has a lot of legacy systems. As we standardise the core systems we will roll this out," said Wylde, who confirmed that in IT terms this was "not a trivial undertaking."

Nevertheless he said, "We hope to complete this over the next five years."